Configuring wireless is a two-part process; the first part is to identify and ensure the correct driver for your wireless device is installed (they are available on the installation media, but often have to be installed explicitly), and to configure the interface. The second is choosing a method of managing wireless connections. This article covers both parts, and provides additional links to wireless management tools.

The #iw section describes how to manually manage your wireless network interface / your wireless LANs using iw. The Network configuration#Network managers section describes several programs that can be used to automatically manage your wireless interface, some of which include a GUI and all of which include support for network profiles (useful when frequently switching wireless networks, like with laptops).

Device driver

The default Arch Linux kernel is modular, meaning many of the drivers for machine hardware reside on the hard drive and are available as modules. At boot, udev takes an inventory of your hardware and loads appropriate modules (drivers) for your corresponding hardware, which will in turn allow creation of a network interface.

Some wireless chipsets also require firmware, in addition to a corresponding driver. Many firmware images are provided by the linux-firmware package which is installed by default, however, proprietary firmware images are not included and have to be installed separately. This is described in #Installing driver/firmware.

Note: If the proper module is not loaded by udev on boot, simply load it manually. If udev loads more than one driver for a device, the resulting conflict may prevent successful configuration. Make sure to blacklist the unwanted module.

Check the driver status

To check if the driver for your card has been loaded, check the output of the lspci -k or lsusb -v command, depending on if the card is connected by PCI(e) or USB. You should see that some kernel driver is in use, for example:

Note: If the card is a USB device, running dmesg | grep usbcore should give something like usbcore: registered new interface driver rtl8187 as output.

Also check the output of ip link command to see if a wireless interface (usually it starts with the letter "w", e.g. wlp2s1) was created. Then bring the interface up with ip link set interface up. For example, assuming the interface is wlan0:

# ip link set wlan0 up

If you get this error message: SIOCSIFFLAGS: No such file or directory, it most certainly means that your wireless chipset requires a firmware to function.

iw and wireless_tools comparison

The table below gives an overview of comparable commands for iw and wireless_tools. See iw replaces iwconfig for more examples.

iw command

wireless_tools command

Description

iw dev wlan0 link

iwconfig wlan0

Getting link status.

iw dev wlan0 scan

iwlist wlan0 scan

Scanning for available access points.

iw dev wlan0 set type ibss

iwconfig wlan0 mode ad-hoc

Setting the operation mode to ad-hoc.

iw dev wlan0 connect your_essid

iwconfig wlan0 essid your_essid

Connecting to open network.

iw dev wlan0 connect your_essid 2432

iwconfig wlan0 essid your_essid freq 2432M

Connecting to open network specifying channel.

iw dev wlan0 connect your_essid key 0:your_key

iwconfig wlan0 essid your_essid key your_key

Connecting to WEP encrypted network using hexadecimal key.

iwconfig wlan0 essid your_essid key s:your_key

Connecting to WEP encrypted network using ASCII key.

iw dev wlan0 set power_save on

iwconfig wlan0 power on

Enabling power save.

iw

Note:

Note that most of the commands have to be executed with root permissions. Executed with normal user rights, some of the commands (e.g. iwlist), will exit without error but not produce the correct output either, which can be confusing.

Depending on your hardware and encryption type, some of these steps may not be necessary. Some cards are known to require interface activation and/or access point scanning before being associated to an access point and being given an IP address. Some experimentation may be required. For instance, WPA/WPA2 users may try to directly activate their wireless network from step #Connect to an access point.

Examples in this section assume that your wireless device interface is interface and that you are connecting to your_essid wifi access point. Replace both accordingly.

The UP in <BROADCAST,MULTICAST,UP,LOWER_UP> is what indicates the interface is up, not the later state DOWN.

Discover access points

To see what access points are available:

# iw dev interface scan | less

Note: If it displays Interface does not support scanning, then you probably forgot to install the firmware. In some cases this message is also displayed when not running iw as root.

Tip: Depending on your location, you might need to set the correct regulatory domain in order to see all available networks.

The important points to check:

SSID: the name of the network.

Signal: is reported in a wireless power ratio in dBm (e.g. from -100 to 0). The closer the negative value gets to zero, the better the signal. Observing the reported power on a good quality link and a bad one should give an idea about the individual range.

Security: it is not reported directly, check the line starting with capability. If there is Privacy, for example capability: ESS Privacy ShortSlotTime (0x0411), then the network is protected somehow.

If you see an RSN information block, then the network is protected by Robust Security Network protocol, also known as WPA2.

Pairwise ciphers: value in TKIP, CCMP, both, others. Not necessarily the same value than Group cipher.

Authentication suites: value in PSK, 802.1x, others. For home router, you will usually find PSK (i.e. passphrase). In universities, you are more likely to find 802.1x suite which requires login and password. Then you will need to know which key management is in use (e.g. EAP), and what encapsulation it uses (e.g. PEAP). See #WPA2 Enterprise and Wikipedia:Authentication protocol for details.

If you see neither RSN nor WPA blocks but there is Privacy, then WEP is used.

Set operating mode

You might need to set the proper operating mode of the wireless card. More specifically, if you are going to connect an ad-hoc network, you need to set the operating mode to ibss:

# iw dev interface set type ibss

Note: Changing the operating mode on some cards might require the wireless interface to be down (ip link set interface down).

Connect to an access point

Depending on the encryption, you need to associate your wireless device with the access point to use and pass the encryption key:

No encryption

# iw dev interface connect "your_essid"

WEP

using a hexadecimal or ASCII key (the format is distinguished automatically, because a WEP key has a fixed length):

# iw dev interface connect "your_essid" key 0:your_key

using a hexadecimal or ASCII key, specifying the third set up key as default (keys are counted from zero, four are possible):

# iw dev interface connect "your_essid" key d:2:your_key

Regardless of the method used, you can check if you have associated successfully:

# iw dev interface link

WPA2 Enterprise

WPA2 Enterprise is a mode of Wi-Fi Protected Access. It provides better security and key management than WPA2 Personal, and supports other enterprise-type functionality, such as VLANs and NAP. However, it requires an external authentication server, called RADIUS server to handle the authentication of users. This is in contrast to Personal mode which does not require anything beyond the wireless router or access points (APs), and uses a single passphrase or password for all users.

The Enterprise mode enables users to log onto the Wi-Fi network with a username and password and/or a digital certificate. Since each user has a dynamic and unique encryption key, it also helps to prevent user-to-user snooping on the wireless network, and improves encryption strength.

Warning: It is possible to use WPA2 Enterprise without the client checking the server CA certificate. However, you should always seek to do so, because without authenticating the access point the connection can be subject to a man-in-the-middle attack. This may happen because while the connection handshake itself may be encrypted, the most widely used setups transmit the password itself either in plain text or the easily breakable #MS-CHAPv2. Hence, the client might send the password to a malicious access point which then proxies the connection.

eduroam

eduroam is an international roaming service for users in research, higher education and further education, based on WPA2 Enterprise.

Note:

Check connection details first with your institution before applying any profiles listed in this section. Example profiles are not guaranteed to work or match any security requirements.

When storing connection profiles unencrypted, it is recommended restrict read access to the root account by specifying chmod 600 profile as root.

Manual/automatic setup

wpa_supplicant

WPA supplicant can be configured directly by its configuration file or using its CLI/GUI front ends and used in combination with a DHCP client. See the examples in /usr/share/doc/wpa_supplicant/wpa_supplicant.conf for configuring the connection details.

netctl

Warning: Special quoting rules apply: see the SPECIAL QUOTING RULES section in netctl.profile(5).

Tip: Custom certificates can be specified by adding the line 'ca_cert="/path/to/special/certificate.cer"' in WPAConfigSection.

Troubleshooting

MS-CHAPv2

WPA2-Enterprise wireless networks demanding MSCHAPv2 type-2 authentication with PEAP sometimes require pptpclient in addition to the stock ppp package. netctl seems to work out of the box without ppp-mppe, however. In either case, usage of MSCHAPv2 is discouraged as it is highly vulnerable, although using another method is usually not an option. See also [2] and [3].

Tips and tricks

Respecting the regulatory domain

The regulatory domain, or "regdomain", is used to reconfigure wireless drivers to make sure that wireless hardware usage complies with local laws set by the FCC, ETSI and other organizations. Regdomains use ISO 3166-1 alpha-2 country codes. For example, the regdomain of the United States would be "US", China would be "CN", etc.

Regdomains affect the availability of wireless channels. In the 2.4GHz band, the allowed channels are 1-11 for the US, 1-14 for Japan, and 1-13 for most of the rest of the world. In the 5GHz band, the rules for allowed channels are much more complex. In either case, consult this list of WLAN channels for more detailed information.

Regdomains also affect the limit on the effective isotropic radiated power (EIRP) from wireless devices. This is derived from transmit power/"tx power", and is measured in dBm/mBm (1dBm=100mBm) or mW (log scale). In the 2.4GHz band, the maximum is 30dBm in the US and Canada, 20dBm in most of Europe, and 20dB-30dBm for the rest of the world. In the 5GHz band, maximums are usually lower. Consult the wireless-regdb for more detailed information (EIRP dBm values are in the second set of brackets for each line).

Misconfiguring the regdomain can be useful - for example, by allowing use of an unused channel when other channels are crowded, or by allowing an increase in tx power to widen transmitter range. However, this is not recommended as it could break local laws and cause interference with other radio devices.

To configure the regdomain, install crda and reboot (to reload the cfg80211 module and all related drivers). Check the boot log to make sure that CRDA is being called by cfg80211:

$ dmesg | grep cfg80211

The current regdomain can be set to the United States with:

# iw reg set US

And queried with:

$ iw reg get

Note: Your device may be set to country "00", which is the "world regulatory domain" and contains generic settings. If this cannot be unset, CRDA may be misconfigured.

However, setting the regdomain may not alter your settings. Some devices have a regdomain set in firmware/EEPROM, which dictates the limits of the device, meaning that setting regdomain in software can only increase restrictions, not decrease them. For example, a CN device could be set in software to the US regdomain, but because CN has an EIRP maximum of 20dBm, the device will not be able to transmit at the US maximum of 30dBm.

For example, to see if the regdomain is being set in firmware for an Atheros device:

$ dmesg | grep ath:

For other chipsets, it may help to search for "EEPROM", "regdomain", or simply the name of the device driver.

To see if your regdomain change has been successful, and to query the number of available channels and their allowed transmit power:

$ iw list | grep -A 15 Frequencies:

A more permanent configuration of the regdomain can be achieved through editing /etc/conf.d/wireless-regdom and uncommenting the appropriate domain.

WPA supplicant can also use a regdomain in the country= line of /etc/wpa_supplicant/wpa_supplicant.conf.

Troubleshooting

Temporary internet access

If you have problematic hardware and need internet access to, for example, download some software or get help in forums, you can make use of Android's built-in feature for internet sharing via USB cable. See Android tethering#USB tethering for more information.

Rfkill caveat

Many laptops have a hardware button (or switch) to turn off wireless card, however, the card can also be blocked by kernel. This can be handled by rfkill. To show the current status:

# rfkill list

0: phy0: Wireless LAN
Soft blocked: yes
Hard blocked: yes

If the card is hard-blocked, use the hardware button (switch) to unblock it. If the card is not hard-blocked but soft-blocked, use the following command:

# rfkill unblock wifi

Note: It is possible that the card will go from hard-blocked and soft-unblocked state into hard-unblocked and soft-blocked state by pressing the hardware button (i.e. the soft-blocked bit is just switched no matter what). This can be adjusted by tuning some options of the rfkillkernel module.

Hardware buttons to toggle wireless cards are handled by a vendor specific kernel module, frequently these are WMI modules. Particularly for very new hardware models, it happens that the model is not fully supported in the latest stable kernel yet. In this case it often helps to search the kernel bug tracker for information and report the model to the maintainer of the respective vendor kernel module, if it has not happened already.

Observing Logs

A good first measure to troubleshoot is to analyze the system's logfiles first. In order not to manually parse through them all, it can help to open a second terminal/console window and watch the kernels messages with

$ dmesg -w

while performing the action, e.g. the wireless association attempt.

When using a tool for network management, the same can be done for systemd with

# journalctl -f

Frequently a wireless error is accompanied by a deauthentication with a particular reason code, for example:

wlan0: deauthenticating from XX:XX:XX:XX:XX:XX by local choice (reason=3)

Looking up the reason code might give a first hint. Maybe it also helps you to look at the control message flowchart, the journal messages will follow it.

The individual tools used in this article further provide options for more detailed debugging output, which can be used in a second step of the analysis, if required.

Power saving

Failed to get IP address

If getting an IP address repeatedly fails using the default dhcpcd client, try installing and using dhclient instead. Do not forget to select dhclient as the primary DHCP client in the connection manager.

If you can get an IP address for a wired interface and not for a wireless interface, try disabling the wireless card's power saving features (specify off instead of on).

If you get a timeout error due to a waiting for carrier problem, then you might have to set the channel mode to auto for the specific device:

# iwconfig wlan0 channel auto

Before changing the channel to auto, make sure your wireless interface is down. After it has successfully changed it, you can bring the interface up again and continue from there.

Valid IP address but cannot resolve host

If you are on a public wireless network that may have a captive portal, make sure to query an HTTP page (not an HTTPS page) from your web browser, as some captive portals only redirect HTTP.
If this is not the issue, check if you can resolve domain names, it may be necessary to use the DNS server advertised via DHCP.

Setting RTS and fragmentation thresholds

Wireless hardware disables RTS and fragmentation by default. These are two different methods of increasing throughput at the expense of bandwidth (i.e. reliability at the expense of speed). These are useful in environments with wireless noise or many adjacent access points, which may create interference leading to timeouts or failing connections.

Packet fragmentation improves throughput by splitting up packets with size exceeding the fragmentation threshold. The maximum value (2346) effectively disables fragmentation since no packet can exceed it. The minimum value (256) maximizes throughput, but may carry a significant bandwidth cost.

# iw phy0 set frag 512

RTS improves throughput by performing a handshake with the access point before transmitting packets with size exceeding the RTS threshold. The maximum threshold (2347) effectively disables RTS since no packet can exceed it. The minimum threshold (0) enables RTS for all packets, which is probably excessive for most situations.

# iw phy0 set rts 500

Note:phy0 is the name of the wireless device as listed by $ iw phy.

Random disconnections

Cause #1

If dmesg says wlan0: deauthenticating from MAC by local choice (reason=3) and you lose your Wi-Fi connection, it is likely that you have a bit too aggressive power-saving on your Wi-Fi card[5]. Try disabling the wireless card's power saving features (specify off instead of on).

If your card does not support enabling/disabling power save mode, check the BIOS for power management options. Disabling PCI-Express power management in the BIOS of a Lenovo W520 resolved this issue.

Cause #2

If you are experiencing frequent disconnections and dmesg shows messages such as

Cause #3

On some laptop models with hardware rfkill switches (e.g., Thinkpad X200 series), due to wear or bad design, the switch (or its connection to the mainboard) might become loose over time resulting in seemingly random hardblocks/disconnects when you accidentally touch the switch or move the laptop.
There is no software solution to this, unless your switch is electrical and the BIOS offers the option to disable the switch.
If your switch is mechanical (most are), there are lots of possible solutions, most of which aim to disable the switch: Soldering the contact point on the mainboard/wifi-card, glueing or blocking the switch, using a screw nut to tighten the switch or removing it altogether.

Cause #4

Another cause for frequent disconnects or a complete failure to connect may also be a sub-standard router, incomplete settings of the router, or interference by other wireless devices.

To troubleshoot, first best try to connect to the router with no authentication.

If that works, enable WPA/WPA2 again but choose fixed and/or limited router settings. For example:

If the router is considerably older than the wireless device you use for the client, test if it works with setting the router to one wireless mode

Disable mixed-mode authentication (e.g. only WPA2 with AES, or TKIP if the router is old)

Try a fixed/free channel rather than "auto" channel (maybe the router next door is old and interfering)

If the router has quality of service settings, check completeness of settings (e.g. Wi-Fi Multimedia (WMM) is part of optional QoS flow control. An erroneous router firmware may advertise its existence although the setting is not enabled)

Wi-Fi networks invisible because of incorrect regulatory domain

If the computer's Wi-Fi channels do not match those of the user's country, that may result in some in-range Wi-Fi networks becoming invisible, because they use wireless channels that aren't allowed by default. The solution is to configure the regulatory domain correctly, see #Respecting the regulatory domain.

Troubleshooting drivers and firmware

This section covers methods and procedures for installing kernel modules and firmware for specific chipsets, that differ from generic method.

See Kernel modules for general information on operations with modules.

Ralink/Mediatek

rt2x00

Unified driver for Ralink chipsets (it replaces rt2500, rt61, rt73, etc). This driver has been in the Linux kernel since 2.6.24, you only need to load the right module for the chip: rt2400pci, rt2500pci, rt2500usb, rt61pci or rt73usb which will autoload the respective rt2x00 modules too.

A list of devices supported by the modules is available at the project's homepage.

Additional notes

Since kernel 3.0, rt2x00 includes also these drivers: rt2800pci, rt2800usb.

Since kernel 3.0, the staging drivers rt2860sta and rt2870sta are replaced by the mainline drivers rt2800pci and rt2800usb[6].

Some devices have a wide range of options that can be configured with iwpriv. These are documented in the source tarballs[dead link 2018-08-15] available from Ralink.

rt3090

For devices which are using the rt3090 chipset it should be possible to use rt2800pci driver, however, is not working with this chipset very well (e.g. sometimes it is not possible to use higher rate than 2Mb/s).

rt3290

The rt3290 chipset is recognised by the kernel rt2800pci module. However, some users experience problems and reverting to a patched Ralink driver seems to be beneficial in these cases.

rt3573

rt5572

New chipset as of 2012 with support for 5 Ghz bands. It may require proprietary drivers from Ralink and some effort to compile them. At the time of writing a how-to on compilation is available for a DLINK DWA-160 rev. B2 here.

mt7612u

New chipset as of 2014, released under their new commercial name Mediatek. It is an AC1200 or AC1300 chipset. Manufacturer provides drivers for Linux on their support page

Realtek

rtl8192cu

The driver is now in the kernel, but many users have reported being unable to make a connection although scanning for networks does work.

8192cu-dkmsAUR includes many patches, try this if it does not work fine with the driver in kernel.

rtl8723ae/rtl8723be

The rtl8723ae and rtl8723be modules are included in the mainline Linux kernel.

Some users may encounter errors with powersave on this card. This is shown with occasional disconnects that are not recognized by high level network managers (netctl, NetworkManager). This error can be confirmed by running dmesg -w or journalctl -f and looking for output related to powersave and the rtl8723ae/rtl8723be module. If you are having this issue, use the fwlps=0 kernel option, which should prevent the WiFi card from automatically sleeping and halting connection.

/etc/modprobe.d/rtl8723ae.conf

options rtl8723ae fwlps=0

or

/etc/modprobe.d/rtl8723be.conf

options rtl8723be fwlps=0

If you have poor signal, perhaps your device has only one physical antenna connected, and antenna autoselection is broken. You can force the choice of antenna with ant_sel=1 or ant_sel=2 kernel option. [8]

rtl88xxau

Realtek chipsets rtl8811au/rtl8812au/rtl8814au/rtl8821au designed for various USB adapters ranging from AC600 to AC1900.

ath5k

If you find web pages randomly loading very slow, or if the device is unable to lease an IP address, try to switch from hardware to software encryption by loading the ath5k module with nohwcrypt=1 option. See Kernel modules#Setting module options for details.

Some laptops may have problems with their wireless LED indicator flickering red and blue. To solve this problem, do:

ath9k

As of Linux 3.15.1, some users have been experiencing a decrease in bandwidth. In some cases this can fixed by editing /etc/modprobe.d/ath9k.conf and adding the line:

options ath9k nohwcrypt=1

Note: Check with the command lsmod what module(-name) is in use and change it if named otherwise (e.g. ath9k_htc).

In the unlikely event that you have stability issues that trouble you, you could try using the backports-patchedAUR package. An ath9k mailing list exists for support and development related discussions.

Power saving

Although Linux Wireless says that dynamic power saving is enabled for Atheros ath9k single-chips newer than AR9280, for some devices (e.g. AR9285) powertop might still report that power saving is disabled. In this case enable it manually.

On some devices (e.g. AR9285), enabling the power saving might result in the following error:

# iw dev wlan0 set power_save on

command failed: Operation not supported (-95)

The solution is to set the ps_enable=1 option for the ath9k module:

/etc/modprobe.d/ath9k.conf

options ath9k ps_enable=1

Intel

ipw2100 and ipw2200

These modules are fully supported in the kernel, but they require additional firmware. Depending on which of the chipsets you have, install either ipw2100-fw or ipw2200-fw. Then reload the appropriate module.

If you have problems connecting to networks in general or your link quality is very poor, try to disable 802.11n, and perhaps also enable software encryption:

/etc/modprobe.d/iwlwifi.conf

options iwlwifi 11n_disable=1 swcrypto=1

If you have a problem with slow uplink speed in 802.11n mode, for example 20Mbps, try to enable antenna aggregation:

/etc/modprobe.d/iwlwifi.conf

options iwlwifi 11n_disable=8

Do not be confused with the option name, when the value is set to 8 it does not disable anything but re-enables transmission antenna aggregation.[11][12]

In case this does not work for you, you may try disabling power saving for your wireless adapter.

Some have never gotten this to work. Others found salvation by disabling N in their router settings after trying everything. This is known to have be the only solution on more than one occasion. The second link there mentions a 5ghz option that might be worth exploring.

Bluetooth coexistence

If you have difficulty connecting a bluetooth headset and maintaining good downlink speed, try disabling bluetooth coexistence [13]:

/etc/modprobe.d/iwlwifi.conf

options iwlwifi bt_coex_active=0

Disabling LED blink

Note: This works with the iwlegacy and iwlwifi drivers.

The default settings on the module are to have the LED blink on activity. Some people find this extremely annoying. To have the LED on solid when Wi-Fi is active, you can use the systemd-tmpfiles:

/etc/tmpfiles.d/phy0-led.conf

w /sys/class/leds/phy0-led/trigger - - - - phy0radio

Run systemd-tmpfiles --create phy0-led.conf for the change to take effect, or reboot.

To see all the possible trigger values for this LED:

# cat /sys/class/leds/phy0-led/trigger

Tip: If you do not have /sys/class/leds/phy0-led, you may try to use the led_mode="1"module option. It should be valid for both iwlwifi and iwlegacy drivers.

zd1211rw

zd1211rw is a driver for the ZyDAS ZD1211 802.11b/g USB WLAN chipset, and it is included in recent versions of the Linux kernel. See [14] for a list of supported devices. You only need to install the firmware for the device, provided by the zd1211-firmwareAUR package.

hostap_cs

Host AP is a Linux driver for wireless LAN cards based on Intersil's Prism2/2.5/3 chipset. The driver is included in Linux kernel.

Note: Make sure to blacklist the orinico_cs driver, it may cause problems.

ndiswrapper

Ndiswrapper is a wrapper script that allows you to use some Windows drivers in Linux. You will need the .inf and .sys files from your Windows driver.

Warning: Be sure to use drivers appropriate to your architecture (x86 vs. x86_64).

Tip: If you need to extract these files from an *.exe file, you can use cabextract.

backports-patched

backports-patchedAUR provide drivers released on newer kernels backported for usage on older kernels. The project started since 2007 and was originally known as compat-wireless, evolved to compat-drivers and was recently renamed simply to backports.

If you are using old kernel and have wireless issue, drivers in this package may help.